
Chainguard’s Ground-Up Strategy for a Zero-Vulnerability Software Supply Chain


Chainguard, a cybersecurity startup, is doubling down on its mission to secure software supply chains from the ground up. In this episode of Secure By Design, Julian Dunn, Senior Director of Product Management at Chainguard, delves into the company’s latest product announcements, its philosophy of preemptive security, and why starting with clean, secure infrastructure is no longer optional for enterprises.

The shift from reactive to proactive security is a recurring theme in today’s tech landscape, and Dunn argues that the status quo of finding and fixing vulnerabilities after deployment is unsustainable. “Security, like software quality, can’t be tacked on later,” he explains. “If you start with hundreds of vulnerabilities in your base image, you’re playing catch-up from day one.” This philosophy underpins Chainguard’s approach: building secure-by-default components so that the known vulnerabilities in the base layers are gone before application code ever reaches production, rather than becoming a backlog that the security team has to chase.

The Problem: A Supply Chain Riddled With Risk

Modern applications are stitched together from thousands of open source dependencies, most of which nobody on the consuming team has reviewed. Dunn emphasizes that while direct dependencies are usually scrutinized, transitive ones (the libraries your dependencies pull in, and the build tools used to produce them) often go unexamined. “A typical app is 90% open source. Attackers exploit the weakest link in this sprawling network,” he says, citing supply chain attacks like the SolarWinds hack and malicious npm packages.

The stakes are rising. Threat actors are increasingly targeting the build and distribution stages of software pipelines rather than source code itself. For enterprises, the challenge is twofold: reducing attack surfaces across hybrid and multi-cloud environments while ensuring security doesn’t stifle developer productivity.

Chainguard’s Solution: Start Clean, Stay Clean

Chainguard Containers, the company’s flagship product line, tackles vulnerabilities at the foundation: prebuilt, hardened container images that ship with zero or near-zero known Common Vulnerabilities and Exposures (CVEs), as measured by the scanners enterprises already run. A general-purpose Linux base image bundles many packages the application never uses, and every one of them is a potential scanner finding. Chainguard’s images are instead rebuilt from source daily and contain only what the workload needs, which keeps the footprint small and lets upstream fixes ship as soon as they are available.

But containers alone aren’t enough. Dunn highlights Chainguard VMs, a new offering designed to secure container hosts, the virtual machines that run Kubernetes clusters across clouds. “Even if your containers are secure, the host OS can be a blind spot,” he says. The first Chainguard VM image is optimized for Amazon EKS and supports multi-cloud deployments, addressing a critical gap for enterprises juggling hybrid infrastructure.

Streamlining Security for Developers

Dunn returned repeatedly to the need to integrate security seamlessly into developer workflows. To this end, Chainguard launched a Dockerfile Converter (currently in beta) that analyzes existing Dockerfiles and recommends how to rebase them on the equivalent Chainguard images. “Migrating shouldn’t mean rewriting your entire stack,” Dunn notes.
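As an added illustration of the migration the converter is aimed at (this is not the converter’s output and not Chainguard’s own code), the following Dockerfile shows the usual single-stage build on a general-purpose base being replaced by a two-stage build on a minimal image: dependencies are installed in a build variant that carries pip and a shell, and only the interpreter, the application and its pinned packages are copied into a runtime variant that has no shell or package manager and runs as a non-root user. The image names and tags (cgr.dev/chainguard/python with the -dev build variant and the plain runtime tag) and the application layout (app.py, requirements.txt) are assumptions for this example, not details taken from the page.

```dockerfile
# Added example (not from the page): rebasing a Python service onto a minimal image.
#
# The single-stage Dockerfile being migrated looked like this (assumed):
#   FROM python:3.12
#   WORKDIR /app
#   COPY requirements.txt .
#   RUN pip install -r requirements.txt
#   COPY . .
#   CMD ["python", "app.py"]
# Everything in that full distro base (shell, package manager, compilers and
# their libraries) ships to production and counts toward the image's CVE total.

# Stage 1: build on the -dev variant, which includes pip and a shell.
# Image name and tag are assumptions, not taken from the page.
FROM cgr.dev/chainguard/python:latest-dev AS builder
WORKDIR /app
# Install into a virtualenv so the result can be copied as one directory.
RUN python -m venv /app/venv
ENV PATH="/app/venv/bin:$PATH"
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Stage 2: runtime variant with no shell or package manager, non-root by default.
FROM cgr.dev/chainguard/python:latest
WORKDIR /app
COPY --from=builder /app/venv /app/venv
COPY app.py .
ENV PATH="/app/venv/bin:$PATH"
# Only the interpreter, the app and its pinned dependencies remain;
# pip, compilers and the build stage's shell are not carried over.
ENTRYPOINT ["python", "app.py"]
```

After building, a scan of the two images (for example with whatever CVE scanner the team already uses) is the practical check: the runtime image should report far fewer packages and findings than the single-stage build, and anything that remains belongs to the application’s own dependencies rather than to the base.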

The company also expanded its Custom Assembly service, which lets enterprises mix and match components from Chainguard’s container images to build tailored runtimes at scale. For example, a company running both Node.js and PHP can merge them into a single image without giving up the hardened base, which suits monolithic applications that need several runtimes side by side.

Looking Ahead: Beyond Containers and Into Reporting

Chainguard isn’t stopping at containers and VMs. Dunn teased plans to extend its source-code-to-artifact security model to ecosystems beyond Java, which was the first target because of customer demand. The company is also investing further in its CED (CVE Evolution Dashboard) visualization tool, which quantifies risk reduction over time. “Customers want to measure not just vulnerabilities but the toil and cost saved by avoiding them,” Dunn said, hinting at enhanced reporting features to help security teams justify investments.

Why It Matters

For enterprises, Chainguard’s approach represents a paradigm shift: security isn’t about blocking developers but empowering them with tools that “do the right thing by default.” In a world where attackers are constantly probing for weak links, starting with clean, actively maintained infrastructure isn’t just best practice—it’s a necessity.

As cyberattacks grow more sophisticated, Chainguard’s proactive stance could set a new benchmark for securing the software supply chain—one that balances rigor with usability in an era of unprecedented complexity.

Guest: Julian Dunn
Company: Chainguard
Show: Secure By Design
